Name: Jeremy Rossi Description: Project: Puzzle 2 - Ann Skips Bail Submitted by: Jeremy Rossi Briefing: You are the forensic investigator. Your mission is to figure out what Ann emailed, where she went, and recover evidence including: 1. What is Annís email address? 2. What is Annís email password? 3. What is Annís secret loverís email address? 4. What two items did Ann tell her secret lover to bring? 5. What is the NAME of the attachment Ann sent to her secret lover? 6. What is the MD5sum of the attachment Ann sent to her secret lover? 7. In what CITY and COUNTRY is their rendez-vous point? 8. What is the MD5sum of the image embedded in the document? Required Tools: tcpflow http://freshmeat.net/projects/tcpflow/ Used version 0.21-1 python http://www.python.org/ Used version 2.5 and 2.6 Description: The initial idea was to write the entire process in Python, but after starting to write the code, I found that tcpflow can handle parsing the pcap the Python code can be used to present the data and analyze the output. I called the Python script findsmtpinfo.py. The script creates a report of the SMTP information, stores any emails in msg format, stores any attachments from the emails, decompresses them if they are a compressed format (zip, docx), checks MD5 hashes of all files including the msg files (and generates MD5 hash of output report). So the Python script makes use of three arguments: -p|--pcap This argument specifies the pcap file -r|--report This argument specifies the report output directory [Defaults to ./report] -f|--force If the report directory has files already, this argument is required to allow overwriting of files findsmtpinfo.py -p evidence02.pcap -r ./report When run, the script will execute tcpflow which creates individual files for each tcp flow. For this particular pcap it created 4 files: Flow 1: from the suspect machine to the server Flow 2: from the server back to the suspect machine Flow 3: another flow from the suspect machine to the server Flow 4: another flow from the server back to the suspect machine The script reads any files generated by tcpflow, and parses them for useful information. In this example, two email message files are generated by the script. They are stored in the report directory in a subdirectory called messages each in its own subdirectory. We see that there are two directories under messages, 1 and 2, so we have two emails to inspect. The script placed msg files in each, so we can easily look at the emails in full. Also note the html files as well, telling us Ann used a client that wrote the email in HTML format. We can see in message that Ann told sec558@gmail.com that she will be heading out of town. Message 2 is significant in our evidence as it is an exchange with MisterSecretX. From message 2, we have found the following information: Ann's address: sneakyg33k@aol.com Secret Lover Address: mistersecretx@aol.com Items to bring: fake passport & bathing suit Name of attachment: secretrendezvous.docx The script has stored the attachment in the directory as well. Opening the docx, we can see that it contains a map with the location: 1 Av. Constituyentes 1 Calle 10 x la 5ta Avenida Playa del Carmen, 77780, Mexico 01 984 873 4000 Since the script detected the attachment is compressed, it uncompressed it and created a directory with all its contents, included the embedded image file. The report of the script checks MD5 hash of every file, including the embedded files, and we see that the two hashes we are looking for are: secretrendezvous.docx: 9e423e11db88f01bbff81172839e1923 embedded image: aadeace50997b1ba24b09ac2ef1940b7 Another important feature of the script, is that in addition to the getting the email messages, it looks at the information between the AUTH LOGIN and MAIL FROM smtp commands, which contains two lines that are encoded, the username and the password. The script decodes these values and we can see that Ann's username is sneakyg33k@aol.com and the password is 558r00lz. The report (output.report.txt) also shows us this information (report is appended at the bottom of this text). 1. What is Annís email address? sneakyg33k@aol.com 2. What is Annís email password? 558r00lz 3. What is Annís secret loverís email address? mistersecretx@aol.com 4. What two items did Ann tell her secret lover to bring? fake passport & bathing suit 5. What is the NAME of the attachment Ann sent to her secret lover? secretrendezvous.docx 6. What is the MD5sum of the attachment Ann sent to her secret lover? 9e423e11db88f01bbff81172839e1923 7. In what CITY and COUNTRY is their rendez-vous point? Playa del Carmen, Mexico 8. What is the MD5sum of the image embedded in the document? aadeace50997b1ba24b09ac2ef1940b7 NOTE: The script in this case focused on SMTP, but is extensible to be used for any line based protocol (POP,IMAP,etc) The following is the output report generated by the script (output-report.txt): Generated report: ---------------------------------------- Report: 192.168.001.159.01036-064.012.102.142.00587 ---------------------------------------- Found SMTP Session data SMTP AUTH Login: sneakyg33k@aol.com SMTP AUTH Password: 558r00lz SMTP MAIL FROM: SMTP RCPT TO: Found email Messages - Writing to file: ./report/messages/1/192.168.001.159.01036-064.012.102.142.00587.msg - MD5 of msg: e295a3990b3987a8864383832fea6df9 - Found Attachment - Writing to filename: ./report/messages/1/part-001.ksh - Type of Attachement: text/plain - MDS of Attachement: 541812ed71a51b9c1ae07741ed5ae63c - Found Attachment - Writing to filename: ./report/messages/1/part-001.html - Type of Attachement: text/html - MDS of Attachement: 18d3f88dbc6b152aba923e8c083033f9 ---------------------------------------- Report: 064.012.102.142.00587-192.168.001.159.01038 ---------------------------------------- Found SMTP Session data ---------------------------------------- Report: 064.012.102.142.00587-192.168.001.159.01036 ---------------------------------------- Found SMTP Session data ---------------------------------------- Report: 192.168.001.159.01038-064.012.102.142.00587 ---------------------------------------- Found SMTP Session data SMTP AUTH Login: sneakyg33k@aol.com SMTP AUTH Password: 558r00lz SMTP MAIL FROM: SMTP RCPT TO: Found email Messages - Writing to file: ./report/messages/2/192.168.001.159.01038-064.012.102.142.00587.msg - MD5 of msg: 844661d8332eb00e537a8b15deedf269 - Found Attachment - Writing to filename: ./report/messages/2/part-001.ksh - Type of Attachement: text/plain - MDS of Attachement: ba2c98f65f3f678b6a71570adcf362f4 - Found Attachment - Writing to filename: ./report/messages/2/part-001.html - Type of Attachement: text/html - MDS of Attachement: d07c3b721fed36a725c01e4827c1a563 - Found Attachment - Writing to filename: ./report/messages/2/secretrendezvous.docx - Type of Attachement: application/octet-stream - MDS of Attachement: 9e423e11db88f01bbff81172839e1923 - ZIP Archive attachment extracting - Found file - Writing to filename: ./report/messages/2/secretrendezvous.docx.unzipped/[Content_Types].xml - Type of file: text/xml - MDS of File: f7a7f13f9d124fcc3527e57f342a0979 - Found file - Writing to filename: ./report/messages/2/secretrendezvous.docx.unzipped/_rels/.rels - Type of file: None - MDS of File: 77bf61733a633ea617a4db76ef769a4d - Found file - Writing to filename: ./report/messages/2/secretrendezvous.docx.unzipped/word/_rels/document.xml.rels - Type of file: None - MDS of File: c9c49c2d0f5b9a5ce63d1e0d86bb5e25 - Found file - Writing to filename: ./report/messages/2/secretrendezvous.docx.unzipped/word/document.xml - Type of file: text/xml - MDS of File: 5b1a947f30db83f4170b009dedd38fab - Found file - Writing to filename: ./report/messages/2/secretrendezvous.docx.unzipped/word/media/image1.png - Type of file: image/png - MDS of File: aadeace50997b1ba24b09ac2ef1940b7 - Found file - Writing to filename: ./report/messages/2/secretrendezvous.docx.unzipped/word/theme/theme1.xml - Type of file: text/xml - MDS of File: 9d84374caf9c73ec77677afd23cb7b22 - Found file - Writing to filename: ./report/messages/2/secretrendezvous.docx.unzipped/word/settings.xml - Type of file: text/xml - MDS of File: 4788c0aa840fb18d7e5bd74936317dcc - Found file - Writing to filename: ./report/messages/2/secretrendezvous.docx.unzipped/word/webSettings.xml - Type of file: text/xml - MDS of File: 15065d2de3eddbb09d84337a09fd7985 - Found file - Writing to filename: ./report/messages/2/secretrendezvous.docx.unzipped/word/styles.xml - Type of file: text/xml - MDS of File: d0c2c9bec6e9c2597b174ababf1b2191 - Found file - Writing to filename: ./report/messages/2/secretrendezvous.docx.unzipped/docProps/core.xml - Type of file: text/xml - MDS of File: 32ecd3799f69751a53ce10825372fd36 - Found file - Writing to filename: ./report/messages/2/secretrendezvous.docx.unzipped/word/numbering.xml - Type of file: text/xml - MDS of File: 5583fc19ed6bdf4ee5402f32ef42c492 - Found file - Writing to filename: ./report/messages/2/secretrendezvous.docx.unzipped/word/fontTable.xml - Type of file: text/xml - MDS of File: de2ae9c06e07370391b996f069f1dfba - Found file - Writing to filename: ./report/messages/2/secretrendezvous.docx.unzipped/docProps/app.xml - Type of file: text/xml - MDS of File: b3923a08674ac7c56babca89c3409107 Directory listing of all files created: ./report ./report/flows ./report/flows/raw.pcap ./report/flows/064.012.102.142.00587-192.168.001.159.01036 ./report/flows/192.168.001.159.01036-064.012.102.142.00587 ./report/flows/064.012.102.142.00587-192.168.001.159.01038 ./report/flows/192.168.001.159.01038-064.012.102.142.00587 ./report/messages ./report/messages/1 ./report/messages/1/192.168.001.159.01036-064.012.102.142.00587.msg ./report/messages/1/part-001.ksh ./report/messages/1/part-001.html ./report/messages/2 ./report/messages/2/192.168.001.159.01038-064.012.102.142.00587.msg ./report/messages/2/part-001.ksh ./report/messages/2/part-001.html ./report/messages/2/secretrendezvous.docx ./report/messages/2/secretrendezvous.docx.unzipped ./report/messages/2/secretrendezvous.docx.unzipped/[Content_Types].xml ./report/messages/2/secretrendezvous.docx.unzipped/_rels ./report/messages/2/secretrendezvous.docx.unzipped/_rels/.rels ./report/messages/2/secretrendezvous.docx.unzipped/word ./report/messages/2/secretrendezvous.docx.unzipped/word/_rels ./report/messages/2/secretrendezvous.docx.unzipped/word/_rels/document.xml.rels ./report/messages/2/secretrendezvous.docx.unzipped/word/document.xml ./report/messages/2/secretrendezvous.docx.unzipped/word/media ./report/messages/2/secretrendezvous.docx.unzipped/word/media/image1.png ./report/messages/2/secretrendezvous.docx.unzipped/word/theme ./report/messages/2/secretrendezvous.docx.unzipped/word/theme/theme1.xml ./report/messages/2/secretrendezvous.docx.unzipped/word/settings.xml ./report/messages/2/secretrendezvous.docx.unzipped/word/webSettings.xml ./report/messages/2/secretrendezvous.docx.unzipped/word/styles.xml ./report/messages/2/secretrendezvous.docx.unzipped/word/numbering.xml ./report/messages/2/secretrendezvous.docx.unzipped/word/fontTable.xml ./report/messages/2/secretrendezvous.docx.unzipped/docProps ./report/messages/2/secretrendezvous.docx.unzipped/docProps/core.xml ./report/messages/2/secretrendezvous.docx.unzipped/docProps/app.xml ./report/output-report.txt